Patch Management System Best Practices

In our era of high-profile, high-cost security breaches, network security is more crucial than ever, and crucial to network security is patching. I sat down with Chiranjeev Bordoloi to discuss important steps admins can take to optimize their patch management and secure their networks.

Bordoloi, CEO of patch management and vulnerability remediation firm TopPatch, has spent over two decades in the field and frequently appears on CNBC, CBS, and NPR to discuss cyber security issues. In his opinion, patching is critical to security, and an effective patch management system—or lack thereof—can make or break an enterprise's ability to fend off malware and other attacks.

Why networks don't get patched

Without an effective patch management system to help automate patching, the day-to-day realities of life in the IT trenches can sabotage even the best intentions, according to Bordoloi:

What we see out there in the field is that the C-suite defines policy, but the system administrators have to implement it. Many of them are putting out fires daily; they don't have time to do the preventive maintenance needed to patch network weaknesses. A policy may mandate that you have to apply critical patches to all systems by a certain timeframe, but a system admin looks at that and says, "Wow, how am I going to do this? I'm running multiple operating systems and I've got hundreds or thousands, or hundreds of thousands, of servers and one of me." So they end up not doing it.

And then, of course, networks become vulnerable to attack.

Patch management systems can ease the burden on admin while maximizing security. Bordoloi offered several practical tips to get the most out of yours.

APIs for integration

When choosing a patch management system, Bordoloi said, look for one with "extensive APIs to integrate with other enterprise systems, such as vulnerability scanners." Neither a patch management system nor a vulnerability scanner can operate to maximum effect on its own. "Scanners can tell you when a patch is missing, but that's not useful unless it's integrated with the patch management system, which can then apply that patch." Those APIs are vital to achieving that integration.

To further illustrate the importance of APIs, Bordoloi described TopPatch's work with "a big bank that runs a lot of Linux," for which the bank hired TopPatch. Those Linux servers, he said, "were unpatched for a while, and their Red Hat Linux servers were exposed," especially to threats coming in via Adobe and Java applications, the latter being, in his words, "the greatest security threat to enterprises today." APIs, Bordoloi said, allow the patch management system to secure the relevant servers while playing nicely with other systems, keeping the bank's infrastructure up, running, and safe.

Cross-platform uniformity

For maximum security, admins need to apply patches uniformly across all platforms, Bordoloi told me, adding that in many cases, they don't. Typically, "a lot of system administrators patch Windows machines in a timely manner but leave their Linux systems open," due to the less-intuitive nature of Linux operating systems. Red Hat Linux, according to Bordoloi, is "especially painful to patch," and administrators often neglect Macs, too.

And in larger organizations with a dedicated administrator for each platform, specialization can create its own problems. "Linux administrators don't typically understand Windows very well, and vice versa," Bordoloi said. "So in a company where there's a Linux administrator and a Windows administrator and one of them goes on vacation, that leaves all those machines exposed."

To meet these challenges, Bordoloi recommends a cross-platform patch management system that all admins can learn and use, so that if one admin is away when a critical security patch is released, another can push out the patch.

Test your patches before you push them

Once your patch management system is in place, make sure patches work within your environment before pushing them out. "As we know," Bordoloi said, "patches break stuff." Vulnerabilities in third-party applications require frequent patching, but patches can create conflicts and cause problems with other software. To avoid this, Bordoloi advises that patch management policies mandate test environments with "automated system health monitoring, and that proactively issue notifications, based on preset parameters of memory, CPU, and hard drive usage."

"It's not Patch Tuesday anymore"

We live in a different world than the one of just a few years ago. Patches, Bordoloi pointed out, "get released very frequently now—it's not Patch Tuesday anymore. Now there are a lot of out-of-band patches, mostly security patches. They might come out on a Friday." And if they do, enterprises need an effective patch management system to push them out as fast as admins can manage, because the danger to networks is greater than ever.

"Hackers are very technical people," Bordoloi said. "They know what goes on. They realize how painful patching is. They realize how many systems are unpatched, and they write malware to target those unpatched vulnerabilities." But with a strong patch management policy and system in place, those hackers won't get to you.